Cross-Namespace Privilege Escalation in ArgoCD Image Updater
CVE-2026-6388

9.1 CRITICAL

Key Information:

Vendor: Red Hat
CVE Published: 15 April 2026

What is CVE-2026-6388?

A security flaw in the ArgoCD Image Updater lets an attacker who has permission to create or modify ImageUpdater resources in a multi-tenant environment bypass namespace boundaries. The vulnerability stems from inadequate validation, which allows unauthorized image updates on applications managed by other tenants. These unauthorized changes compromise application integrity and underscore the need for stronger security measures in multi-tenant environments.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
